CapitalGuard
Observatory v1.0.0Updated July 13, 2026

THE PUBLIC RECORD OF WHAT AI CAN REACH.

Permissions change. Agents act. Advisories land. CapitalGuard tracks the official evidence, the control gaps, and the exact point where convenience becomes exposure.

Exposure state

Evidence before opinion.

CapitalGuard

10

Tool records

32

Cited sources

8

Tracked signals

6

Synthetic tests

Claim boundary

Scores measure public control documentation. They do not measure breach probability or guarantee safety.

Continuously watched. Editorially controlled.

Official sources are checked daily. Changed pages are quarantined for review; scores never rewrite themselves.

Source Freshness

Threat wire

The risks are documented. Check your version.

All Advisories
critical · CVE-2025-599442025-10-03

Cursor sensitive-file protection bypass

Affected Cursor releases used case-sensitive checks around sensitive files, enabling a prompt-injection path to modify protected configuration on case-insensitive filesystems.

Action: Update to Cursor 1.7 or later and review repository-controlled AI configuration before trust is granted.

high · CVE-2026-227082026-01-14

Cursor terminal allowlist bypass

In a non-default Auto-Run plus Allowlist configuration, shell built-ins could alter environment variables without appearing in the command allowlist.

Action: Update to Cursor 2.3 or later and avoid treating command-name allowlists as a complete execution boundary.

high · CVE-2026-248872026-02-03

Claude Code confirmation-prompt bypass

A command-parsing error could bypass the confirmation prompt and trigger an untrusted command when attacker-controlled content entered context.

Action: Update to 2.0.72 or later and keep untrusted repository content outside command-authorizing context.

high · CVE-2025-595322025-09-22

Codex workspace sandbox-boundary bypass

Affected Codex releases could treat a model-generated working directory as the sandbox writable root, bypassing the intended workspace boundary.

Action: Use Codex CLI 0.39.0 or later and IDE extension 0.4.12 or later, then verify the effective writable root before sensitive work.

high · CVE-2025-540732025-07-18

MCP package-documentation server command injection

Unsanitized package arguments reached a shell command, creating a path from tool input or indirect prompt injection to command execution.

Action: Update to 0.1.28 or later and use argument-safe process APIs rather than shell interpolation.

critical · CVE-2026-405762026-04-12

Remote MCP spreadsheet server path traversal

Affected remote deployments failed to confine file paths to the configured spreadsheet directory, allowing arbitrary file read and write operations.

Action: Update to 0.1.8 or later, bind remote services narrowly, authenticate requests, and validate resolved paths against the approved root.

Reproducible benchmark

Synthetic evidence. Zero customer data.

Six inert fixtures test the CapitalGuard detection contract against Standard 1.0.0. The harness reads markers; it never runs fixture commands or vendor products.

RUN SHA-256 83f0586a997443653c6ac7f445fc127521320154eb6022454bb4908a8cb74478

CGO-TV-001

Secret-bearing path signal

CGS-SEC-001 · CGS-DATA-001

Pass
CGO-TV-002

Untrusted repository instruction

CGS-INJ-001

Pass
CGO-TV-003

Broad workflow authority

CGS-PRIV-001 · CGS-HUMAN-001

Pass
CGO-TV-004

Synthetic customer-data surface

CGS-DATA-001

Pass
CGO-TV-005

Missing machine policy

CGS-POL-001

Pass
CGO-TV-006

Command-authority marker

CGS-HUMAN-001 · CGS-PRIV-001

Pass

Practical coverage

One record. Four decisions.

Everyday AI users

See which files, history, memory, and apps can enter context.

Check my access

Freelancers

Protect client files, credentials, shared links, and connected workspaces.

Open evidence guides

Developers

Map repository scope, commands, workflows, prompts, and agent permissions.

View Pro

Businesses

Create a signed baseline, policy evidence, and a reviewable Guardprint record.

View Agency

CapitalGuard Standard + signed Guardprints

Open controls. Public keys. Verifiable records.

Standard 1.0.0 defines the controls. SHA-256 binds the evidence state. Ed25519 signs official attestations. The registry exports only privacy-safe public proof.

Fund the record. Protect your own system.

Independent evidence survives when users back it.

A CapitalGuard license creates your own actionable security baseline and supports continued source review, benchmark maintenance, and public change tracking.

Choose a License